I'd like to see a couple generic turnkeys. The first proxies DNS, pointing to a DNS server of choice. The second is a reverse proxy server, probably Nginx, configured to point to another server for a chosen protocol. Hopefully they can have simple web administration interfaces with firewall setups. The key features would be to have simple, secure appliance-like VMs that require little to no support. Read-only filesystems would be a plus, even if it has to reboot in between read-only and read-write mode. Thanks for your consideration.

Although I'm not 100% sure if I get your point. A DNS server can easily be installed and configured to forward DNS requests anywhere you like. Is that sort of what you were after?

And yes, a reverse proxy would be nice. The simplest one I have found following my searching is Pound (and here is more info and instructions for setting it up - should work, except leave the 'sudo' command out). I have tried to configure Nginx and ended up giving up... I couldn't manage to get it to work. Also, a problem with Nginx is that there doesn't seem to be a nice WebUI for configuring it, so I expect that it won't be a very newb-friendly appliance, even with some initial config. So if the devs did a reverse proxy appliance, I suspect they'd use Apache instead. Although Pound doesn't seem to have a nice WebUI either, it also seems much easier to config than Nginx.

VPN wouldn't allow the public to access it, which misses the point of having a proxy server there. The AD would be on the internal network, with the DNS proxy exposed to the public to get select AD DNS zones out to the public.

Personally I think exposing AD in any way, shape or form seems like a bad idea. And TBH I'm not really sure what you would be trying to achieve doing that. I'm sure there would be a better, more secure way to achieve your ends whilst keeping AD safely locked away, preferably behind a hardware firewall! (With no incoming connections except via VPN)
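Added example, not from this thread: one way to get a chosen AD zone out to the public while keeping the AD servers themselves unreachable, in line with the concern above. Instead of forwarding queries inward to AD, the DMZ appliance pulls the zone by zone transfer (BIND 9 secondary) and serves only that zone, with recursion off so it can never become an open resolver. The zone name and addresses are constructed placeholders, and it assumes the AD DNS server has been configured to allow zone transfers to the appliance's address.

```conf
// named.conf on the DMZ DNS appliance (added example, placeholder values)
options {
    directory "/var/cache/bind";
    listen-on { 203.0.113.5; };     // public-facing address of the appliance
    recursion no;                   // authoritative-only: never resolve for clients
    allow-query { any; };           // the published zone is meant to be public
    allow-transfer { none; };       // nobody may pull the zone back off this box
    version "not disclosed";        // don't advertise the BIND version
};

// The zone lives on AD; this box holds a read-only copy fetched via AXFR/IXFR.
zone "corp.example.com" {
    type slave;                     // "secondary" on BIND 9.16+; "slave" still accepted
    file "slave/corp.example.com.db";
    masters { 10.0.0.10; };         // internal AD DNS server, reachable only from the DMZ
    notify no;
};
```

Any query for a name outside corp.example.com is answered REFUSED rather than forwarded, and the only connection that crosses into the internal network is the appliance's outbound zone transfer to 10.0.0.10 on port 53.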

I saw something about a web administration module for Nginx, served by Nginx itself, called mod_wsgi, and is based on Python. It's not my language of choice, but encapsulated wouldn't be bad, I suppose. I also like the idea that nginx does imap/pop3 proxy, which might be a plus for helping to proxy Exchange. Personally, I prefer working with Linux, but management wants Windows; I'm sure it's because it's easier to hire Windows people.

It is so you can use raw Python to create web apps. Have a look here. There may well be a Python web app that has been built to admin Nginx that requires mod_wsgi to work, but mod_wsgi doesn't do that on its own. Besides, it's an Apache module (although perhaps someone ported it to Nginx too!?)

Squid may be another good proxy option. Squid can proxy pretty much any protocol AFAIK, and it can act as a caching proxy too (which Pound can't).